> For the complete documentation index, see [llms.txt](https://sallam.gitbook.io/sec-88/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sallam.gitbook.io/sec-88/web-appsec/services-based-pentest-checklist.md).

# Services Based Pentest Checklist

<details>

<summary><strong>Symfony PHP</strong></summary>

* [ ] Symfony Profiler Enabled

```
/app_dev.php
/app_dev.php/_profiler
/_profiler
/_profiler/latest
/_profiler/search
/_profiler/phpinfo
/_profiler/{token}
/_wdt/{token}
/app_example.php
/app_test.php
/index_dev.php
/config.php
/_configurator/
/_configurator/steps
/_configurator/step/{index}
```

</details>

<details>

<summary><strong>Laravel</strong></summary>

* [ ] Laravel Debug Mode / Telescope / Ignition / Horizon / Pulse

```
/.env
/_debugbar
/_debugbar/open
/_debugbar/clockwork/{id}
/telescope
/telescope/requests
/telescope/exceptions
/ignition/execute-solution
/ignition/update-options
/horizon
/horizon/api/*
/pulse
```

</details>

<details>

<summary><strong>WordPress</strong></summary>

* [ ] WordPress Debug / Config / XMLRPC / Users Enum

```
/wp-config.php
/wp-config.php~
/wp-config.php.bak
/wp-config.php.old
/wp-admin/install.php
/xmlrpc.php
/wp-json/wp/v2/users
/wp-json/wp/v2/users/{id}
/readme.html
/license.txt
/wp-includes/version.php
```

</details>

<details>

<summary><strong>Django</strong></summary>

* [ ] Django Debug Mode / Admin / Debug Toolbar

```
/.env
/admin
/admin/login
/debug
/__debug__
/static/debug_toolbar/
/djdt/
/djdt/debug_toolbar
```

</details>

<details>

<summary><strong>Rails</strong></summary>

* [ ] Rails Console / Info / DB / Pwned

```
/rails/info/properties
/rails/console
/rails/db
/pwned
/.env
/config/database.yml
```

</details>

<details>

<summary><strong>Express.js / Node.js</strong></summary>

* [ ] Debug Routes / Env / Config Exposure

```
/.env
/debug
/trace
/env
/config
/status
/version
```

</details>

<details>

<summary><strong>Flask</strong></summary>

* [ ] Flask Debug Mode / Console

```
/.env
/console
/debug
/flask.debug
/_debug
```

</details>

<details>

<summary><strong>GraphQL</strong></summary>

* [ ] Introspection Enabled / IDEs

```
/graphql
/graph
/graphiql
/graphql/console
/graphql.php
/graphiql.php
/api/graphql
/v1/graphql
/v1/explorer
/v1/graphiql
/altair
/playground
/graphql-playground
/graphiql/fiddle
```

</details>

<details>

<summary><strong>Next.js</strong></summary>

* [ ] Next.js Debug / Env / Dev Files

```
/.env
/.env.local
/.env.production
/_next/static/development
/api/debug
/.next/
```

</details>

<details>

<summary><strong>Strapi</strong></summary>

* [ ] Strapi Admin / Dashboard / Env

```
/admin
/dashboard
/.env
/strapi
/plugins/users-permissions
```

</details>

<details>

<summary><strong>Spring Boot</strong></summary>

* [ ] Actuator Endpoints / Jolokia / Hawtio

```
/actuator
/actuator/env
/actuator/beans
/actuator/mappings
/actuator/health
/actuator/info
/actuator/heapdump
/actuator/threaddump
/actuator/loggers
/actuator/conditions
/jolokia
/jolokia/exec
/hawtio
/api/hawtio
```

</details>

<details>

<summary><strong>ASP.NET</strong></summary>

* [ ] Debug / Trace / Config Exposure

```
/trace.axd
/elmah.axd
/Web.config
/web.config.bak
/web.config~
/App_config/connectionStrings.config
```

</details>

<details>

<summary><strong>PHP General</strong></summary>

* [ ] PHP Info / Config / Backups

```
/phpinfo.php
/info.php
/test.php
/php.ini
/php.ini~
/php.ini.bak
/server-status
/server-info
```

</details>

<details>

<summary><strong>Apache</strong></summary>

* [ ] Server Status / Info / Mod Pages

```
/server-status
/server-info
/mod_status
/.htaccess
/.htpasswd
```

</details>

<details>

<summary><strong>Nginx</strong></summary>

* [ ] Status / Stub Status

```
/nginx_status
/status
/stub_status
```

</details>

<details>

<summary><strong>Tomcat</strong></summary>

* [ ] Manager / Host Manager / Examples

```
/manager/html
/host-manager/html
/examples
/docs
/admin
```

</details>

<details>

<summary><strong>Kibana</strong></summary>

* [ ] Kibana Dashboard / Timelion / Console

```
/app/kibana
/app/timelion
/app/console
/api/console
```

</details>

<details>

<summary><strong>Elasticsearch</strong></summary>

* [ ] Cluster Info / Indices / Cat APIs

```
/_cat
/_cat/indices
/_cat/nodes
/_cluster/health
/_nodes/stats
/*/_search
```

</details>

<details>

<summary><strong>MongoDB</strong></summary>

* [ ] Mongo Express / Admin UI

```
/dbadmin
/mongo
/admin/mongo
/me
```

</details>

<details>

<summary><strong>Redis</strong></summary>

* [ ] Redis CLI / Web UI

```
/redis
/phpredisadmin
/redis-cli
```

</details>

<details>

<summary><strong>Docker</strong></summary>

* [ ] Docker API / Registry / Swarm

```
/_ping
/v1.41/info
/v1.41/containers/json
/v2/_catalog
```

</details>

<details>

<summary><strong>Swagger / OpenAPI</strong></summary>

* [ ] Swagger UI / OpenAPI Docs Exposure

```
/swagger
/swagger-ui
/swagger-ui.html
/swagger-ui/index.html
/api-docs
/v2/api-docs
/v3/api-docs
/openapi.json
/openapi.yaml
/redoc
```

</details>

<details>

<summary><strong>Grafana</strong></summary>

* [ ] Grafana UI / Public Dashboards / Health

```
/grafana
/grafana/login
/grafana/public-dashboards
/public-dashboards
/api/health
/api/search
```

</details>

<details>

<summary><strong>Prometheus</strong></summary>

* [ ] Prometheus UI / Targets / Metrics

```
/graph
/targets
/service-discovery
/metrics
/api/v1/status/config
/api/v1/targets
```

</details>

<details>

<summary><strong>phpMyAdmin / Adminer</strong></summary>

* [ ] Database Admin Panels Exposed

```
/phpmyadmin
/phpMyAdmin
/pma
/dbadmin
/adminer
/adminer.php
```

</details>

<details>

<summary><strong>MinIO</strong></summary>

* [ ] MinIO Console / Health Endpoints

```
/minio
/minio/login
/minio/health/live
/minio/health/ready
```

</details>

<details>

<summary><strong>General Misconfig Checks</strong></summary>

* [ ] Environment Files

```
/.env
/.env.local
/.env.production
/.env.example
/config.php
/configuration.php
/settings.php
```

* [ ] Backup / Source Files

```
/*.bak
/*.old
/*.txt
/*~
/backup
/backups
/*.sql
/*.zip
/*.tar.gz
```

* [ ] Directory Listing / Uploads

```
/uploads/
/files/
/assets/
/static/
/media/
/user_uploads/
```

* [ ] Git / SVN Exposure

```
/.git/
/.git/HEAD
/.git/config
/.svn/entries
/.hg/
```

</details>

<details>

<summary>Postman API Platform</summary>

* [ ] Public Workspaces

```
https://www.postman.com/{companyName}/?tab=workspaces
```

</details>

<details>

<summary>Salesforce</summary>

* [ ] Salesforce Lightning Aura Components Enabled

```
- Test:
POST /aura HTTP/2
Host: {TARGET}.lightning.force.com
Content-Type: application/json

{}
------------------------
- FQDNs:
*.force.com
*.secure.force.com
*.live.siteforce.com
---------------------------
- Other Endpoints
/sfsites/aura
/s/sfsites/aura
```

</details>

<details>

<summary>Trello</summary>

* [ ] View Permissions on Trello Boards

```
site:trello.com "company"
https://trello.com/b/{BOARD_ID}
```

</details>

<details>

<summary>Figma</summary>

* [ ] View access misconfiguration

```
https://www.figma.com/file/{DesignID}/{DesignFileName}
```

</details>

<details>

<summary>Freshworks Freshservice</summary>

* [ ] Open User Registration

```
https://<companyName>.freshservice.com/support/signup
```

</details>

<details>

<summary>Slack</summary>

* [ ] No Admin Approval for Invitations

To check if you have permissions to invite a new member:

1. Sign in to your Slack Workspace
2. Open any channel
3. Click on **Add people**
4. A popup will open up, enter the user's email address
5. Finally, click **Add**

These reproduction steps prove that you're able to invite new members without approval from an administrator.

![](https://bugology.intigriti.io/misconfig-mapper-docs/~gitbook/image?url=https%3A%2F%2F867675796-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FHax8VYP6nSo5n66iSR0Z%252Fuploads%252Fgit-blob-de8e86fddf7e79b52a5ffa21a075887e53797106%252Fimage%2520%285%29.png%3Falt%3Dmedia\&width=768\&dpr=4\&quality=100\&sign=3559249d\&sv=2)

</details>

<details>

<summary>Atlassian Bitbucket</summary>

* [ ] Publicly Accessible Private Repositories

```
https://bitbucket.org/{WORKSPACE_ID}
site:bitbucket.org inurl:/workspace/projects
```

</details>

<details>

<summary>Atlassian Confluence</summary>

* [ ] [Anonymous access to Remote API](https://bugology.intigriti.io/misconfig-mapper-docs/services/atlassian-confluence/anonymous-access-to-remote-api)

{% code overflow="wrap" %}

```http
## XML-RPC HTTP Request to retrieve a specific page for example:
POST /rpc/xmlrpc HTTP/1.1
Host: confluence.example.com
Content-Type: text/xml
...

<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
 <methodName>confluence2.getPage</methodName>
 <params>
  <param>
   <value>
    <string>{SPACE_KEY}</string>
   </value>
  </param>
  <param>
   <value>
    <string>{PAGE_TITLE}</string>
   </value>
  </param>
 </params>
</methodCall>

--------------------------------
## Curl:
curl -X POST -H 'Content-Type: text/xml' -d '<?xml version="1.0" encoding="UTF-8"?><methodCall><methodName>confluence2.getPage</methodName><params><param><value><string>{SPACE_KEY}</string></value></param><param><value><string>{PAGE_TITLE}</string></value></param></params></methodCall>' http://confluence.example.com/rpc/xmlrpc

------------------------------------
## SOAP: /rpc/soap-axis/confluenceservice-v2
```

{% endcode %}

* [ ] [Disabled XSRF Protection](https://bugology.intigriti.io/misconfig-mapper-docs/services/atlassian-confluence/disabled-xsrf-protection)

{% code overflow="wrap" %}

```
In case XSRF Protection is turned off, bad actors could post comments on other user's behalf by just sending them a link to an attacker controlled site that replicates the POST request.
```

{% endcode %}

* [ ] [User Email Visibility](https://bugology.intigriti.io/misconfig-mapper-docs/services/atlassian-confluence/user-email-visibility)

{% code overflow="wrap" %}

```
There is no specific testing procedure for this misconfiguration. Email addresses are visible next to the user's name on posts for example.
```

{% endcode %}

* [ ] [Misconfigured Spaces](https://github.com/intigriti/misconfig-mapper-docs/blob/gitbook/services/atlassian-confluence/misconfigured-spaces.md)

{% code overflow="wrap" %}

```
Visit the following application route to check if anonymous users can view and read any information on Confluence Spaces:

https://<companyName>.atlassian.net/wiki/spaces
```

{% endcode %}

</details>

<details>

<summary>Atlassian Jira</summary>

* [ ] [Open User Registration](https://bugology.intigriti.io/misconfig-mapper-docs/services/atlassian-jira/open-user-registration)

{% code overflow="wrap" %}

```
You can cross-check if user registration is open for anyone by navigating to the following app route:

/secure/Signup!default.jspa
```

{% endcode %}

* [ ] [Misconfigured Email Visibility](https://bugology.intigriti.io/misconfig-mapper-docs/services/atlassian-jira/atlassian-jira-email-visibility)

{% code overflow="wrap" %}

```
Open up any user's profile in your Jira instance as an anonymous user and verify that you can view the email address of the user.
```

{% endcode %}

* [ ] [Open Service Desk registration](https://bugology.intigriti.io/misconfig-mapper-docs/services/atlassian-jira/atlassian-jira-service-desk-open-signups)

{% code overflow="wrap" %}

```
Navigate to the following app route and check if signups are enabled:

/servicedesk/customer/user/login
```

{% endcode %}

</details>

<details>

<summary>AWS S3</summary>

* [ ] Misconfigured List Permissions

```
aws s3 ls s3://{BUCKET_NAME} --no-sign-request
```

</details>

<details>

<summary>Cloudflare R2</summary>

* [ ] R2.DEV Enabled

{% code overflow="wrap" %}

```
You can make use of search syntaxis supported by several popular search engines like Google to enumerate R2 buckets belonging to your target company or organization:

site:.r2.dev "company"
```

{% endcode %}

</details>

<details>

<summary>Google Groups</summary>

* [ ] Misconfigured read permissions

```
site:groups.google.com "{companyName}"
```

</details>

<details>

<summary>Google Docs</summary>

* [ ] Misconfigured read permissions

```
https://docs.google.com/document/d/{documentId}/edit
```

</details>

<details>

<summary>Google Cloud Storage Bucket</summary>

* [ ] Misconfigured access controls

{% code overflow="wrap" %}

```
https://{companyName}.storage.googleapis.com/
https://storage.googleapis.com/{companyName}

Indexing can also be allowed, to cross-check, you can make use of search filters that search engines like Google provide:

site:storage.googleapis.com "{companyName}"
```

{% endcode %}

</details>

<details>

<summary>Google OAuth</summary>

* [ ] Unrestricted email domains

{% code overflow="wrap" %}

```
https://accounts.google.com/o/oauth2/v2/auth?
  response_type=code&
  client_id=1234.apps.googleusercontent.com&
  ...
  hd=company.com

--------------------------------
Change it to example.com:
--------------------------------

https://accounts.google.com/o/oauth2/v2/auth?
  response_type=code&
  client_id=1234.apps.googleusercontent.com&
  ...
  hd=example.com
```

{% endcode %}

</details>

<details>

<summary>Jenkins</summary>

* [ ] Open Signups

```
- Enumerate jenkist subdomains
jenkist.domain.com

- Check those endpoints
/signup
/jenkins/signup
```

* [ ] Public Groovy Script Console

{% code overflow="wrap" %}

```bash
- Check if Groovy Script Console is publicly accessible:

/script

---------------------------------
- Test:

curl -s 'https://jenkins.{HOST}/script' -X 'POST' --data 'script={SCRIPT}'

or:

curl -s 'https://jenkins.{HOST}/scriptText' -X 'POST' --data 'script={SCRIPT}'
```

{% endcode %}

</details>

<details>

<summary>GitLab</summary>

* [ ] Gitlab Private Source Code Snippets Exposed

{% code overflow="wrap" %}

```
/explore/snippets
```

{% endcode %}

</details>

<details>

<summary>Drupal</summary>

```
- Brute Force IDs
/node/{ID}
```

</details>

### Automation

{% embed url="<https://bugology.intigriti.io/misconfig-mapper-docs>" %}
